Saturday, October 31, 2009

I have a Dell PowerConnect 5448 switch with random workstations connecting at 100Mbps instead of 1Gbps. This is a new internet cafe with brand new CAT6 cabling. 12 workstations have Intel network cards, 28 have Broadcom network cards.

If I do a show running config on the switch we can see that the speed is set to 1000 by default for all ports.

One of the PCs that is syncing at 100Mbps is on port g33 of the switch. Below I manually configured g33 to force it to 1Gbps.

I then unplugged the CAT6 network cable from port g33 and plugged it back in so it could re-negotiate speed. Again it came up at 100Mbps. I then plugged the machine into a TP-Link switch and it negotiated at 1Gbps straight away, so it is not the cabling.

The firmware I'm running as of this writing is 2.0.0.41 on the PowerConnect 5448 switch, which is the latest at this time.

Please note that this is a random occurrence. If I keep unplugging the network cable and plugging it back in, it will eventually negotiate at 1Gbps.

This is not the only problem I have found with the Dell PowerConnect 5448 switch. It also delays up to 10 seconds when passing on DHCP requests. Please see:

If the problem persists, contact Symantec Technical Support at http://service.symantec.com.

This is because the Dell PowerConnect 5448 for some reason takes up to 9 seconds to relay a DHCP request from the switch to the DHCP server. The problem could not be resolved; the only resolution was to replace the switch.

I had to configure a Dell PowerEdge 5448 switch the other day... the syntax is a little different to that of a Cisco. First let's give the switch an IP address on the main VLAN using a console cable:

I set up my ADSL connection with pppoeconf... in the pppoeconf wizard I specified to connect automatically on boot. This adds the following to my /etc/network/interfaces file:

auto dsl-provider
iface dsl-provider inet ppp
provider dsl-provider
# please do not modify the following line
pre-up /sbin/ifconfig eth0 up # line maintained by pppoeconf

This usually connects the ADSL connection automatically on boot, however for some reason in Jaunty it doesn't work. To get around this I just added it to the bottom of my rc.local file in /etc/init.d. I told it to sleep for 10 seconds before trying to connect:

If anyone knows the proper fix please let me know... this is just a handy work around.

Monday, October 26, 2009

I needed the NDIS2 driver for the Intel 82567 network adapters... After surfing the internet for 45 minutes I finally found it. Intel's website is so hard to navigate and their search functionality is useless... Broadcom is so much easier!

Sunday, October 25, 2009

I have a bunch of Linux routers all meshed together running Ubuntu 8.04.3 with OpenVPN. I added a new Ubuntu Jaunty 9.04 router into the mix today, copied my generated private key via scp to the new box and set up a new connector back to another site. When I started the VPN using the firewall script I wrote, I was getting the following error:

In previous versions of Ubuntu there was a group called nobody; now in Ubuntu 9 there is just a group called nogroup with a GID of 65534. In previous versions of Ubuntu the group nobody had a GID of 1002, so I recreated it with the same GID.

groupadd -g 1002 nobody

OpenVPN failed again, this time I got the following error in the daemon.log file upon restarting it:

In previous versions of Ubuntu, as you may have guessed, there was a directory called /var/empty. Make this directory with

mkdir /var/empty

Now when I start the VPN I get the following:

However, it's no longer saying failed... it is coming up as OK and data is passing through the VPN perfectly fine. By the looks of it it does not like the key I generated on Ubuntu 8, however it is accepting it. I got it working, but if anyone has more information on this, please do leave a comment.
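Both failures above come from the privilege-drop directives in the OpenVPN config (the group it switches to and the directory it chroots into) not existing on the new host. The following is an added example, not code from the original post: a small preflight check that reads the user/group/chroot directives out of an OpenVPN config and reports which of them the host cannot satisfy, so the problem is caught before the daemon starts instead of after a restart. The config text is constructed for the demonstration, and the lookup functions are injectable so the check can be run against a simulated host as well as the real one.

```python
import grp
import os
import pwd
import shlex

# Constructed sample config for the demonstration; not the author's real VPN config.
SAMPLE_CONFIG = """\
dev tun
proto udp
remote vpn.example.net 1194      ; hypothetical peer
secret /etc/openvpn/static.key
user nobody
group nobody                     ; drops privileges after initialisation
chroot /var/empty                ; confines the daemon after startup
persist-key
persist-tun
"""


def parse_privilege_directives(config_text):
    """Return the user/group/chroot directives found in an OpenVPN config."""
    found = {}
    for raw in config_text.splitlines():
        # OpenVPN treats both '#' and ';' as comment introducers
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] in ("user", "group", "chroot") and len(parts) >= 2:
            found[parts[0]] = parts[1]
    return found


def _user_exists(name):
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def _group_exists(name):
    try:
        grp.getgrnam(name)
        return True
    except KeyError:
        return False


def check_privilege_targets(config_text, user_exists=_user_exists,
                            group_exists=_group_exists, dir_exists=os.path.isdir):
    """List the reasons the privilege-drop directives would make OpenVPN fail on this host."""
    directives = parse_privilege_directives(config_text)
    problems = []
    if "user" in directives and not user_exists(directives["user"]):
        problems.append("user '%s' does not exist" % directives["user"])
    if "group" in directives and not group_exists(directives["group"]):
        problems.append("group '%s' does not exist (groupadd it with the GID you need, "
                        "or use 'group nogroup')" % directives["group"])
    if "chroot" in directives and not dir_exists(directives["chroot"]):
        problems.append("chroot directory '%s' does not exist (mkdir it; keep it empty "
                        "and root-owned)" % directives["chroot"])
    return problems


if __name__ == "__main__":
    # Simulate a Jaunty-style host: 'nogroup' exists, group 'nobody' and /var/empty do not.
    simulated = check_privilege_targets(
        SAMPLE_CONFIG,
        user_exists=lambda n: n == "nobody",
        group_exists=lambda n: n == "nogroup",
        dir_exists=lambda p: False)
    for problem in simulated:
        print("simulated host:", problem)
    for problem in check_privilege_targets(SAMPLE_CONFIG):
        print("this host:", problem)
```

Run it with the real lookups against the config you are about to start and it tells you exactly which of the group/chroot pieces need creating, which is the same information the daemon.log errors gave one restart at a time.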

Tuesday, October 20, 2009

We replaced a Cisco router at a remote branch for one of our clients. After doing this, network connectivity was there, however certain types of traffic were not getting through, Kerberos authentication being one of them. The Windows boxes on the network were receiving the following LsaSrv errors:

My colleague Jason resolved the problem by enabling ip proxy-arp on the VLAN 1 interface of the new router. Usually, under Cisco best practices, you need to disable ip proxy-arp. Here was the config that was causing the errors:

I have uninstalled Exchange 2000 many times through Add and Remove Programs and never had this before - really weird. The fix for this was to run the Exchange setup application from the Exchange 2000 CD, D:\Setup\i386\setup.exe, and select Remove for all Exchange components. Maybe the installation files on drive C: were corrupt?

Wednesday, October 14, 2009

When installing the Password Export Server on a Server 2008 domain controller in the destination forest, the following error was encountered when entering the password for the .pes file security key that was generated in the source forest:

The supplied password does not match this encryption key's password. ADMT's Password Migration Filter DLL will not install without a valid encryption key.

The error being generated, "the password does not match this encryption key", is bogus, as the password did match. It was actually caused by a permission problem accessing the SAM database, caused by UAC (User Account Control).

To get around this, run a command prompt as administrator and launch pwdmig.msi from there. Ensure the command prompt is running as administrator!

Monday, October 12, 2009

In this post I will be going over Dumpster 1.0, which was around in Exchange 2003 and 2007, and how it worked. I will then cover Dumpster 2.0 in Exchange 2010 and the differences between the two.

What is the Dumpster?

The dumpster is the location that deleted email goes to after a user has removed it from their mailbox completely. These deleted emails hang around for a retention period of x days, which is configured by the Exchange administrator. This is not the Deleted Items folder in Outlook or OWA; it is a special place for emails removed entirely from the Outlook interface.

Provided the administrator has a retention period set up for deleted items, an end user can use Outlook or OWA to recover items out of the Exchange mailbox dumpster by using Recover Deleted Items. If there is no retention set, when emails are deleted from a mailbox they are gone forever.

By default permanently deleted emails are retained for 7 days in 2003 and 14 days in 2007.

Dumpster 1.0

Dumpster 1.0 worked by marking items that are permanently deleted with a ptagDeletedOnFlag flag attribute. Permanently deleted items remain in the place they were deleted. If you were to delete an email from Outlook or OWA it would normally go to your Deleted Items. If you were to then delete it from your Deleted Items, it would be marked with the ptagDeletedOnFlag attribute.

One thing to note here: you can delete an item from your Inbox or another folder in Outlook by using Shift + Delete. This sends it straight to the dumpster, bypassing the Deleted Items folder. When you do this it gets marked with the ptagDeletedOnFlag attribute, however by default you cannot use the Recover Deleted Items option in Outlook on it. Out of the box, Recover Deleted Items only works if the item was permanently deleted while residing in the user's Deleted Items. See below: for the Inbox, Recover Deleted Items is greyed out.

However for the Deleted Items container it is fine:

There is a registry key you can set on the workstations to allow users to recover items from the dumpster in any folder, called DumpsterAlwaysOn; see Microsoft KB886205. I personally always create a custom ADM to enable this key on everyone's workstation for Dumpster 1.0. Flick me an email or leave a comment if you would like information on how to do this.

Dumpster 2.0

In Exchange 2010 the Dumpster has been redesigned to perform the following actions:
- Ensure Exchange Dumpster data moves with the mailbox
- Dumpster data is indexed and discoverable by search
- Dumpster data must have a quota
- Ability to prevent purging data from a user's dumpster
- Track editing of certain content (versioning in the dumpster)
- Dumpster should be per mailbox, not per folder

In Dumpster 2.0, emails that users permanently delete are no longer flagged with the ptagDeletedOnFlag attribute. Instead Dumpster 2.0 moves the emails to a new folder under the Non-IPM subtree in the user's mailbox called Recoverable Items (note that this section of the mailbox cannot be viewed by any client-side mail client, only with MAPI editing software such as MFCMAPI).

Inside the Recoverable Items folder there are three sub-folders, each with a different purpose which will be explained below:
- Deletions
- Purges
- Versions

The Deletions folder replaces the ptagDeletedOnFlag attribute: emails are now moved from their original location to the Deletions folder. If a user empties their Deleted Items folder or Shift-Deletes an email, this is where it goes.

In Dumpster 1.0 users were able to delete items from the Recover Deleted Items folder, permanently removing them as a result. This allowed users to hide incriminating emails, which presented a problem in legal matters and court cases. Now in Dumpster 2.0, if a user deletes an email from the Deletions folder using the Recover Deleted Items tool, it simply moves to the Purges folder. Once in this folder it cannot be recovered with client-side Exchange software, however if it is needed an administrator can use MAPI editing software to pull the email out.

The Versions folder is used whenever an item has changed: a copy-on-write is performed to preserve the original version of the item in this folder. This folder is not exposed to the end user. Copy-on-write captures changes to the subject, body, attachments, senders/recipients, and sent/received dates. Drafts are exempt from copy-on-write.

Now with the transport dumpster there are two modes you can enable:
- Short-term preservation of data
- Long-term preservation of data

Short-term preservation of data

Short-term preservation of data is similar to that of Exchange 2003/2007, just better. It allows emails to be recovered for a set number of days after being deleted.

In Exchange 2003/2007 this could only be enabled at the mailbox database level. Now in Exchange 2010 it can be set at the database or mailbox level. If you want to enable retention on a mailbox use:

Set-Mailbox <identity> -SingleItemRecoveryEnabled $true

If you don't run this command on a mailbox you will not be able to set deleted item retention against it at the mailbox level. To set the retention in Exchange 2010 use the following commands:

Please note that calendar items maintain the recoverable items folder structure for 120 days in short-term preservation regardless of what retention setting you have in place.

Long-term preservation of data

Customers sometimes require mechanisms by which data is maintained for longer periods of time, say indefinitely. This may be required during a litigation hold, which occurs when particular users or individuals are involved in lawsuits. With Exchange 2010 litigation hold can be enabled by using:

Set-Mailbox <identity> -LitigationHoldEnabled $true

Users may go into the deleted items using the Recover Deleted Items tool and delete them, sending them to the Purges container. But with this option set they will sit there indefinitely.

Recoverable Items Quotas

Dumpster 2.0 allows you to configure quotas by using the "RecoverableItemsWarningQuota" or the "RecoverableItemsQuota" policy.

RecoverableItemsWarningQuota provides warnings after the Recoverable Items folder has exceeded the quota.

RecoverableItemsQuota removes the oldest items in the dumpster to make way for newer items once the quota has been breached.
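To make the Dumpster 2.0 behaviour described above concrete, here is an added example (not code from the original post and not Exchange's own implementation) that models one mailbox's Recoverable Items subtree: a hard delete moves the item into Deletions rather than flagging it in place, deleting from the Recover Deleted Items tool moves it to Purges instead of destroying it, edits are copied into Versions (drafts excepted), short-term retention expires items after the retention window unless a litigation hold is set, and the quota evicts the oldest items once breached. Item sizes, dates and the 14-day retention are constructed values for the demonstration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Item:
    subject: str
    body: str
    size: int                          # bytes, counted against the Recoverable Items quota
    deleted_at: Optional[datetime] = None


class RecoverableItems:
    """Toy model of one mailbox's Recoverable Items subtree in Exchange 2010."""

    def __init__(self, retention_days=14, warning_quota=None, quota=None, litigation_hold=False):
        self.retention = timedelta(days=retention_days)
        self.warning_quota = warning_quota      # RecoverableItemsWarningQuota
        self.quota = quota                      # RecoverableItemsQuota
        self.litigation_hold = litigation_hold  # Set-Mailbox -LitigationHoldEnabled $true
        self.folders: Dict[str, List[Item]] = {"Deletions": [], "Purges": [], "Versions": []}

    def used(self) -> int:
        return sum(i.size for f in self.folders.values() for i in f)

    def over_warning_quota(self) -> bool:
        return self.warning_quota is not None and self.used() > self.warning_quota

    def _enforce_quota(self):
        # RecoverableItemsQuota: once breached, the oldest items make way for newer ones
        if self.quota is None:
            return
        while self.used() > self.quota:
            name, oldest = min(((n, i) for n, f in self.folders.items() for i in f),
                               key=lambda pair: pair[1].deleted_at)
            self.folders[name].remove(oldest)

    def hard_delete(self, item: Item, when: datetime):
        """Emptying Deleted Items or Shift+Delete: the item is moved to Deletions."""
        item.deleted_at = when
        self.folders["Deletions"].append(item)
        self._enforce_quota()

    def recover(self, item: Item) -> Optional[Item]:
        """Recover Deleted Items in Outlook/OWA only sees the Deletions folder."""
        if item in self.folders["Deletions"]:
            self.folders["Deletions"].remove(item)
            item.deleted_at = None
            return item
        return None                        # Purges/Versions need a MAPI editor

    def user_purge(self, item: Item):
        """Deleting from the Recover Deleted Items tool moves the item to Purges."""
        if item in self.folders["Deletions"]:
            self.folders["Deletions"].remove(item)
            self.folders["Purges"].append(item)

    def edit(self, item: Item, when: datetime, is_draft=False, **changes) -> Item:
        """Copy-on-write: the pre-edit version is kept in Versions; drafts are exempt."""
        if not is_draft:
            self.folders["Versions"].append(replace(item, deleted_at=when))
            self._enforce_quota()
        return replace(item, **changes)

    def expire(self, now: datetime) -> int:
        """Short-term retention: drop items older than the window unless on litigation hold."""
        if self.litigation_hold:
            return 0
        removed = 0
        for name, folder in self.folders.items():
            keep = [i for i in folder if now - i.deleted_at <= self.retention]
            removed += len(folder) - len(keep)
            self.folders[name] = keep
        return removed
```

The point the model makes visible is the difference from Dumpster 1.0: nothing a user can do from the client destroys data, because the Purges folder is only reachable with a MAPI editor, and with the litigation hold flag set even the retention sweep leaves Purges alone.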

Thursday, October 1, 2009

Many companies go out and buy expensive third-party spam appliances that act as smart hosts in their DMZ before understanding what they have already purchased with their Exchange 2007 licenses. In this post I am going to highlight the full extent of Exchange 2007's new anti-spam technology and also provide better alternatives than spam appliances for companies that want to go beyond the functionality provided in Exchange Server. By reading this I hope you achieve a more strategic approach to your anti-spam technology and save money where possible.

Many people don't know that Exchange 2007 can do spam filtering, because all the spam filtering functionality is disabled by default. To enable it you need to run a PowerShell script located in C:\Program Files\Microsoft\Exchange Server\Scripts called install-AntispamAgents.ps1. This can be enabled on a Hub Transport server or an Edge Transport server. Edge Transport is the ideal server role to enable anti-spam on, as it is designed to sit out in the DMZ by itself and communicate with the outside world. For more information about enabling anti-spam agents see:

Below we will be going through the various aspects of Exchange 2007's Anti Spam Technology:

Content filtering

Exchange 2007's content filter is called IMF (Intelligent Message Filter). Content filtering works on the same principle regardless of what anti-spam device you're using: the anti-spam server downloads the entire email, then analyses it and assigns an SCL (Spam Confidence Level) rating from 0 to 9. A value of 9 is definitely spam; a value of 0 is not spam. Like any content filter you can make it stricter or looser... the stricter you make it, the more false positives you get (emails that are legitimate but detected as spam).

You can configure the Content Filter agent to take the following actions on messages according to their SCL rating:

- Delete message
- Reject message
- Quarantine message

For example, you may determine that messages that have an SCL rating of 7 or higher must be deleted, messages that have an SCL rating of 6 must be rejected, and messages that have an SCL rating of 5 must be quarantined.

The Exchange 2007 Intelligent Message Filter can be customized by configuring custom words or phrases that are either blocked or allowed, modifying the SCL score by whatever value you see fit.

Exchange 2007's content filter is more powerful than many others on the market including many spam appliances you need to pay for! When you finish reading this article you will understand why.

The Intelligent Message Filter gets updated every 2 weeks by a Microsoft update to ensure it keeps up with all the new spam emails flying around the internet. If your IMF filter is missing lots of stuff, install your Windows updates!

There is one disadvantage of IMF however: it cannot scan emails over 11MB in size. These emails simply pass through unscanned. However, the default maximum message size limit on Exchange is only 10MB, so for many companies this will not be a problem. It is also very rare for spam emails to be over 11MB in size; spammers want to send out as many as possible to get their message out, and they cannot do this if they are sending large emails.

Connection filters are the first thing used to check an incoming email. Connection filters look at the IP address of the sender. If the sender's IP address is marked against a list, the connection is terminated before the server on the other end even gets to send its HELO or EHLO statement, saving you bandwidth and CPU by not having to download the spam email, analyse it with a content filter and then decide on an action. If an IP is determined to be bad the connection is simply dropped!

In the real world you're mainly going to use the IP Block List providers. You can configure as many RBLs as you want. However, keep in mind that when an email comes in, before your Exchange server starts receiving the content of the email it needs to query each IP Block List provider on the internet to see if the sender's IP address exists in the list, and if so block it. You can find out if a company has too many RBL providers by telnetting to their SMTP server: if the connection hangs for a while with a black screen before you get the SMTP banner, that is because they have a fair few RBL providers that their email server is busy checking before accepting communication.

There are hundreds of RBL providers out there on the internet that you can use for free. My favourite RBL provider is Spamhaus; it's one of the large ones and has a huge list that is regularly kept up to date.

The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

If you want to use all three of these, Spamhaus has an RBL list called ZEN that encompasses all three.

Microsoft also has its own IP Reputation Service, available exclusively to Exchange 2007/2010 customers, that you may want to consider implementing as well.

Spam Quarantine stores messages marked as spam by the Intelligent Message Filter. You can quarantine the email in a spam mailbox inside your organization, deliver the spam email to the user's Junk E-mail folder, or both. For example, you can have messages with a very high SCL rating go straight to the spam quarantine, which administrators have to review using an Outlook client and release to the user if necessary. You can then have messages with a borderline SCL rating released to the user's Junk E-mail folder in Outlook.

This is required whenever you have an Edge Transport server out in your DMZ. The Edge Transport server is a workgroup machine: it is not a member of your domain and does not have any direct access to Active Directory. When emails come in from the internet addressed to an internal recipient, the Edge Transport server needs to know if that recipient email address actually exists in the Exchange organization. If it doesn't know this, it may forward emails to your internal Hub Transport servers for addresses that do not actually exist inside your Exchange organization.

Exchange 2007 sends this information to the Edge Transport server using EdgeSync. This is a subscription made between the Hub Transport servers and the Edge Transport servers that uses ADAM (Active Directory Application Mode), or AD LDS (Active Directory Lightweight Directory Services) as it is now called in Server 2008. This is a portable copy of Active Directory. EdgeSync is one-way replication and only replicates the couple of attributes that are required by the Exchange 2007 Edge Transport server.

Sender filtering lets you block individual email addresses such as billy@hotmail.com. It also has an option to block any incoming emails that do not have a sender's email address specified.

Sender ID

Sender ID verifies that each email sent from a domain name such as @microsoft.com actually came from @microsoft.com by performing a reverse DNS lookup to ensure the address was not spoofed. It goes further by checking whether there is an SPF (Sender Policy Framework) record in the sender's public DNS. SPF records are not defined by many companies when they should be, as it is part of the IEEE framework. SPF records are a type of custom DNS record, like an A record. You enter it into your public DNS zone file.
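To show what the SPF part of that check actually does, here is an added example (not code from the original post and not Exchange's Sender ID agent): given the sending domain and the connecting IP, it fetches the domain's v=spf1 TXT record, walks the ip4/ip6 mechanisms and the catch-all "all" term, and returns the SPF result, which a Sender ID agent then turns into an action. The TXT records are a constructed stand-in for public DNS using documentation address ranges, and the action mapping at the end is this example's choice, since the administrator picks what Exchange does on a failed check.

```python
import ipaddress

# Constructed TXT records standing in for public DNS; these domains and
# addresses are documentation ranges, not real senders.
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all"],
    "soft.example": ["v=spf1 ip6:2001:db8::/32 ip4:192.0.2.0/28 ~all"],
    "nospf.example": ["some unrelated TXT record"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, txt=TXT_RECORDS):
    """Return the domain's v=spf1 record, or None when it publishes none (or several)."""
    records = [r for r in txt.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, sender_domain, txt=TXT_RECORDS):
    """Evaluate the connecting IP against the sending domain's SPF record.

    Only the ip4, ip6 and all mechanisms are implemented; include, a, mx and
    redirect are left out to keep the walk-through short (an assumption of this
    example, not a property of SPF). Results use the SPF vocabulary:
    pass, fail, softfail, neutral, none.
    """
    record = lookup_spf(sender_domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                          # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]         # the catch-all decides everything left
        if ":" in term:
            mech, value = term.split(":", 1)
            # an IPv4 address is never "in" an IPv6 network, and vice versa
            if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched and no 'all' term


def sender_id_action(result):
    """Map an SPF result to the kind of action a Sender ID agent can take."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "stamp"      # accept, but record the result for the content filter to weigh
    return "accept"


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "example.com"), ("198.51.100.26", "example.com"),
                       ("192.0.2.99", "soft.example"), ("192.0.2.99", "nospf.example")]:
        result = check_spf(ip, domain)
        print("%-15s %-15s %-8s -> %s" % (ip, domain, result, sender_id_action(result)))
```

Note the "none" case: a domain that publishes no SPF record cannot be checked at all, which is exactly why the author says more companies should publish one.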

Safelist Aggregation blows many anti-spam technologies out of the water, as it integrates with the user's Outlook client. This functionality collects the Safe Recipients Lists, Safe Senders Lists and contact data that Outlook users configure and makes this data available, via EdgeSync, to the anti-spam agents on the computer that has the Edge Transport server role installed. Safelist aggregation can help reduce the instances of false positives in the anti-spam filtering performed by the Edge Transport server.

Safelist Aggregation is quite complex to set up and requires users to have entered data into their Safe Senders or Safe Recipients list in Outlook, which no one ever does, right? I find the best way to populate these fields is to enable by Group Policy "Automatically add people I send e-mail to the Safe Senders List". This enforces the option on everyone's Outlook client, for Outlook 2003, 2007 or 2010.

The Safe Senders data is stored in Active Directory and is replicated via EdgeSync to the Edge Transport server. For Exchange 2007 RTM you could have 1024 safe sender entries in AD; with SP1 it went up to 3072. When these fill up, the oldest records start being removed.

This data is hashed using SHA-256 and stored under the user's attributes such as msExchangeSafeSenderHash and msExchangeSafeRecipientHash, so it's very secure.

When email comes in, the IMF content filter checks whether the sender is in the user's safe senders list and, if so, greatly reduces the SCL rating applied to the email. This allows you to configure a very tight SCL quarantine rating on your organisation without receiving many false positives.
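The following added example (not code from the original post, and not Microsoft's IMF engine) ties together the content filtering section and the safelist aggregation section above: it stores safe senders as SHA-256 digests of the address rather than the address itself, applies the custom phrase adjustments to the engine's SCL, drops the SCL for a safelisted sender, and then maps the final SCL onto the delete/reject/quarantine/deliver actions using the thresholds (7, 6, 5) the text gives as its example. The phrase list, the size of the safe-sender reduction and the lower-casing normalisation of addresses are assumptions made for the demonstration; the 0-9 engine score is taken as an input because producing it is the part Microsoft ships and updates.

```python
import hashlib

# Thresholds follow the example in the text; the phrase list and the
# safe-sender adjustment are constructed for this demonstration.
SCL_DELETE = 7
SCL_REJECT = 6
SCL_QUARANTINE = 5
CUSTOM_PHRASES = {               # phrase -> SCL adjustment (blocked raise it, allowed lower it)
    "free viagra": +4,
    "quarterly report": -3,
}
SAFE_SENDER_ADJUSTMENT = -5      # assumed size of the "greatly reduces" effect


def safe_sender_hash(address):
    """Hash a safe-sender address so only the digest is stored and replicated.

    Exchange keeps SHA-256 hashes in msExchangeSafeSenderHash; the exact
    normalisation it applies is not on the page, so trimming and lower-casing
    is this example's assumption.
    """
    return hashlib.sha256(address.strip().lower().encode("utf-8")).digest()


def build_safe_list(addresses):
    """The per-user safelist as it would be replicated: a set of digests, no addresses."""
    return {safe_sender_hash(a) for a in addresses}


def adjusted_scl(engine_scl, body, sender, safe_hashes):
    """Apply custom phrases and the safe-sender check to the engine's 0-9 SCL."""
    scl = engine_scl
    lowered = body.lower()
    for phrase, delta in CUSTOM_PHRASES.items():
        if phrase in lowered:
            scl += delta
    if safe_sender_hash(sender) in safe_hashes:
        scl += SAFE_SENDER_ADJUSTMENT
    return max(0, min(9, scl))               # SCL stays inside 0..9


def content_filter_action(scl, quarantine_to="mailbox"):
    """Decide what the Content Filter agent does with a message at this SCL."""
    if scl >= SCL_DELETE:
        return "delete"
    if scl >= SCL_REJECT:
        return "reject"
    if scl >= SCL_QUARANTINE:
        # borderline mail can go to the spam mailbox or to the user's Junk E-mail folder
        return "quarantine:" + quarantine_to
    return "deliver"


def filter_message(engine_scl, body, sender, safe_hashes, quarantine_to="mailbox"):
    """Return (final SCL, action) for one message."""
    scl = adjusted_scl(engine_scl, body, sender, safe_hashes)
    return scl, content_filter_action(scl, quarantine_to)


if __name__ == "__main__":
    # constructed safelist and messages
    safe = build_safe_list(["alice@example.com"])
    for engine_scl, body, sender in [(6, "FREE VIAGRA now", "spam@example.net"),
                                     (6, "hello", "Alice@example.com"),
                                     (5, "the quarterly report", "bob@example.org"),
                                     (5, "hi", "bob@example.org")]:
        print(sender, filter_message(engine_scl, body, sender, safe, quarantine_to="junk"))
```

Because the safelist only ever holds digests, the Edge Transport server can confirm that a sender is on a user's list without ever being handed the list itself, which is the property the author is pointing at with "very secure".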

Sender Reputation gathers statistical information about SMTP sessions, IMF content filtering, Sender ID verification and general sender behaviour, and creates a history of the sender's characteristics. If the data gathered concludes that the sender is a spammer, they are added to a blocked senders list. This means the sender's IP address will be blocked by the connection filter if they repeatedly try to spam the domain. Because connection filters simply block the connection, it also means the Intelligent Message Filter doesn't have to rescan emails that are already known to be spam, reducing server load.

You can also configure IP addresses blocked by Sender Reputation to be blocked temporarily for a period such as 48 hours, or whatever you want to define. This means you do not have to worry about removing blocked entries, as they will automatically remove themselves. If the offender continues to send spam emails, Sender Reputation will automatically block them for another 48 hours, and so on.
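Here is an added example (not code from the original post, and not the Exchange Connection Filter agent) that covers both the connection filtering section above and the Sender Reputation behaviour just described. It builds the reversed-octet DNSBL query name for each configured provider, consults the providers in order and stops at the first listing (which is why, in the author's screenshot, an IP caught by one list is never counted against the others, and why every extra provider adds a DNS round trip before the SMTP banner), keeps per-list counters, and layers a temporary Sender Reputation block on top that expires by itself after the configured number of hours. The DNS answers are a constructed dictionary using documentation address ranges; the meaning of the ZEN answer codes is as Spamhaus documents it.

```python
import ipaddress
from datetime import datetime, timedelta

# Spamhaus documents what the ZEN answer codes mean; the listings in FAKE_DNS
# are constructed for this example from documentation address ranges.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
FAKE_DNS = {
    "9.113.0.203.zen.spamhaus.org": "127.0.0.2",    # verified spam source
    "77.2.0.192.zen.spamhaus.org": "127.0.0.4",     # compromised host / open proxy
    "5.100.51.198.zen.spamhaus.org": "127.0.0.10",  # dynamic end-user range
}


def dnsbl_query_name(ip, zone):
    """Build the lookup name: the IPv4 octets reversed, then the list zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


class ConnectionFilter:
    """Decides on a connecting IP before any HELO/EHLO or message data is accepted."""

    def __init__(self, providers, resolve, block_hours=48):
        self.providers = list(providers)   # queried in order; the first hit wins
        self.resolve = resolve             # name -> A record string, or None if unlisted
        self.block_for = timedelta(hours=block_hours)
        self.reputation_blocks = {}        # ip -> expiry, set by Sender Reputation
        self.hits = {}                     # per-list counters, like the author's screenshot
        self.queries = 0                   # DNS lookups made (what the telnet delay reflects)

    def reputation_block(self, ip, now):
        """Sender Reputation has concluded this IP is a spammer: block it temporarily."""
        self.reputation_blocks[ip] = now + self.block_for

    def check(self, ip, now):
        """Return (decision, reason) for a new inbound connection."""
        expiry = self.reputation_blocks.get(ip)
        if expiry is not None:
            if now < expiry:
                return "drop", "sender reputation block until %s" % expiry.isoformat()
            del self.reputation_blocks[ip]  # expired entries remove themselves
        for zone in self.providers:
            self.queries += 1
            answer = self.resolve(dnsbl_query_name(ip, zone))
            if answer:
                label = ZEN_CODES.get(answer, answer)
                self.hits[label] = self.hits.get(label, 0) + 1
                return "drop", "%s listed in %s (%s)" % (ip, zone, label)
        return "accept", "not listed"


if __name__ == "__main__":
    start = datetime(2009, 10, 1, 9, 0)
    cf = ConnectionFilter(["zen.spamhaus.org", "bl.other.example"], FAKE_DNS.get)
    for ip in ["203.0.113.9", "192.0.2.77", "198.51.100.5", "198.51.100.200"]:
        print(ip, cf.check(ip, start))
    print("per-list hits:", cf.hits, "DNS queries:", cf.queries)
    cf.reputation_block("198.51.100.200", start)
    print("1h later:", cf.check("198.51.100.200", start + timedelta(hours=1)))
    print("49h later:", cf.check("198.51.100.200", start + timedelta(hours=49)))
```

Swapping FAKE_DNS.get for a real resolver function is all that separates the model from a working check; the ordering logic, the short-circuit and the self-expiring block are the parts worth understanding before tuning how many providers to configure.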

For more information on Sender Reputation, and on how the SRL calculates its statistics, see:

Exchange 2007 has no built-in virus filtering. However, it has features such as attachment filtering, where you can specify particular types of attachments that are not allowed through. This is known as Attachment Filtering; for more information see:

Additionally, using virus RBL lists such as Spamhaus's XBL, you can block all known IPs that have worms/viruses and are currently known to spam. With just the integrated Exchange filtering technology you can protect yourself against most virus threats.

If you do want to do content-level filtering of attachments using an antivirus engine, you will need to install an Exchange-capable mail filtering solution on your Edge Transport server such as Microsoft Forefront Security or a third-party vendor's product. With Forefront Security you also get IMF updates every 24 hours instead of every 2 weeks as you do through the standard Windows Update process.

How does this go in the real world?

From my experience, Exchange 2007's anti-spam technology, if set up correctly, is extremely effective. Many companies do not use it due to its complexity to set up.

On my home network I run Exchange 2007 spam filtering. To show you an example of how effective this spam filtering is... in the last 2 weeks I have not received any spam emails in my inbox. Looking on my Exchange server I have a total of 4263 emails blocked by my RBL providers. Notice I am only using the Spamhaus provider; I could add more in here if I wished. Please note that if an IP is detected by one RBL provider it does not check the others. This is why XBL has the biggest number. Many of these 4263 emails would have had viral attachments.

38 did make it through the connection filter, but IMF picked them up:

My email address is associated with a Microsoft .NET Passport as well as being posted all over the internet. Out of all the spam sent to me in the past 2 weeks, not one hit my inbox, not one. This is not to say the spam filter is bullet proof, but it does a very effective job seeing as it's free technology that comes with Exchange 2007 out of the box.

Going Beyond Exchange

If you do want to go beyond the capability integrated into Exchange Server and buy an appliance, you need to make sure the appliance supports replication of data such as Safelist Aggregation and the internal recipient list from Exchange; if you don't set this up correctly it could be less effective than an Edge Transport server.

However, personally I would never buy an appliance. I would go to a third party such as messagelabs.com, as I have had great success with them in the past, or an Exchange Hosted Filtering provider. This requires you to direct your company's MX records to the filtering provider. The hosted provider then relays the clean emails to your organization. The benefit you get out of this is that it reduces your internet bandwidth usage. If spam emails are sent directly to your organization, your servers process each request by checking your RBL providers: if negative, they receive the email and pass it through your content filter; if positive, they block it. For a large company this will consume a fair bit of bandwidth just dealing with "crap". Going through a hosted filtering provider eliminates this, as they have to deal with the spam emails internally.

Final Comments

I hope you now understand the full potential of Exchange 2007's spam filter and consider it before going and wasting money on expensive spam appliances that do pretty much the same thing.

Please provide me with any feedback either by leaving a comment or shooting me an email at clint@kbomb.com.au